[12053] in bugtraq


NT Predictable Initial TCP Sequence numbers: SP5 update

daemon@ATHENA.MIT.EDU (Roy Hills)
Wed Sep 29 16:01:28 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id:  <4.1.19990929141137.00bcbad0@192.168.124.1>
Date:         Wed, 29 Sep 1999 14:12:06 +0100
Reply-To: Roy Hills <Roy.Hills@NTA-MONITOR.COM>
From: Roy Hills <Roy.Hills@NTA-MONITOR.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

As an update to my post about NT Predictable Initial TCP Sequence numbers
in NT 4 SP4 on 24 August, I've finally got around to running the TCP sequence
number tests on NT 4.0 SP5.  Here are my findings:

SP5 has the same "one-per-millisecond" increment pattern as SP3 and previous
releases.  So it appears that the change introduced in SP4 to make the
initial TCP sequence less predictable (but which didn't help and may have
even made the sequence _more_ predictable - see my previous post for details)
was taken out of SP5.

I've also recently seen a totally different NT initial TCP sequence number
pattern which consists of small positive increments (just like SP4) multiplied
by 64,000.  I think that this could be a post-SP4 hotfix, but I haven't
confirmed this yet.  I'll post an update when I have more information about this.

Roy Hills
NTA Monitor Ltd
--
Roy Hills                                    Tel:   +44 1634 721855
NTA Monitor Ltd                              FAX:   +44 1634 721844
6 Beaufort Court, Medway City Estate,        Email: Roy.Hills@nta-monitor.com
Rochester, Kent ME2 4FB, UK                  WWW:   http://www.nta-monitor.com/
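As an added example (not part of Roy Hills' post or NTA Monitor's tooling), the following Python checker takes a series of observed initial sequence numbers from successive connections to the same host and reports whether they match either pattern the post describes: the "one-per-millisecond" counter, or small positive increments multiplied by 64,000. The sample series are constructed to illustrate each pattern rather than captured from a real host, and the 5% rate tolerance and the bound on the 64,000 multiplier are assumptions.

```python
# Constructed samples of (time since first connection in ms, observed ISN).
# These are hypothetical values shaped like the patterns in the post, not
# real captures.
SP5_LIKE = [(0, 100000), (250, 100250), (1000, 101000), (1730, 101730)]
HOTFIX_LIKE = [(0, 5000000), (300, 5192000), (310, 5320000), (900, 5384000)]
RANDOM_LIKE = [(0, 3201446712), (250, 1024003), (1000, 2917550019), (1730, 55021)]


def isn_deltas(samples):
    """Return (elapsed_ms, isn_increment) pairs between consecutive samples.

    The ISN increment is reduced modulo 2**32 so a counter that wraps around
    the 32-bit sequence space is still measured as a positive step.
    """
    return [(t1 - t0, (s1 - s0) % 2**32)
            for (t0, s0), (t1, s1) in zip(samples, samples[1:])]


def classify_isn(samples, rate_tolerance=0.05, max_multiplier=1024):
    """Label a series of ISN samples with the generator pattern it resembles.

    rate_tolerance and max_multiplier are assumed thresholds, not values
    from the post.
    """
    deltas = isn_deltas(samples)
    if not deltas:
        return "insufficient samples"
    # Pattern 1 (SP3/SP5 behaviour): the ISN advances by about one unit per
    # elapsed millisecond, so increment / elapsed time stays close to 1.0.
    if all(dt > 0 and abs(ds / dt - 1.0) <= rate_tolerance for dt, ds in deltas):
        return "per-millisecond counter"
    # Pattern 2 (suspected post-SP4 hotfix): every increment is a small
    # positive multiple of 64,000, independent of the elapsed time.
    if all(ds % 64000 == 0 and 0 < ds // 64000 < max_multiplier for _, ds in deltas):
        return "multiple-of-64000 increments"
    # Anything else is not one of the two simple patterns; it may still be
    # weak, but it needs a statistical test rather than this rule check.
    return "no simple pattern detected"


if __name__ == "__main__":
    for name, series in [("SP5_LIKE", SP5_LIKE), ("HOTFIX_LIKE", HOTFIX_LIKE),
                         ("RANDOM_LIKE", RANDOM_LIKE)]:
        print(f"{name}: {classify_isn(series)}")
```

A host that lands in either of the first two categories has an ISN generator whose next value can be estimated from a handful of prior connections, which is the exposure the post is reporting.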
